Sony Ericsson K200i with SAMSUNG flash

Fri Dec 1 16:01:49 UTC 2023

Hi Vadim,

> Of course the MS Classmark does not contain any bits related to the 
> codec support.  I meant to say the Bearer Capability, but wrote this 
> instead.  In any case, for the sake of completeness, I will compare both 
> the Bearer Capability and the Classmark between those firmware versions 
> and post my findings here soon.

Now that we are clear as to which air interface bits are involved, I
refer back to your original comment:

> The only difference between R1AA003 and R1AA008 I could find so far is 
> AMR codec support: the former does not list it in the hidden "Service" 
> menu.

I find it very intriguing that a phone manuf created a hidden service
menu command that (presumably) enables or disables AMR inclusion in
the advertised speech version list.  I would find it very interesting
if you could check with your test network to see if that hidden service
menu setting really does what I just assumed.  As to possible reasons
why they thought about artificially disabling AMR, please refer to the
Calypso presentation I just did on OsmoDevCall: AMR support in plain
Calypso (as opposed to LoCosto or *possibly* Calypso+) is crippled in
that it can't do DTXu - hence you have to choose between DTXu (battery
saving) and AMR (potentially better call quality under poor radio
conditions) with all Calypso phones...

> === SAMSUNG flash ===
> [...]
> Confirmed Samsung K5L29xx_A or compatible
> Global status word 3: 0000
> Global status word 7: 0000
> Sector at 0x0: locked
> Sector at 0x2000: unlocked
> Sector at 0x4000: unlocked
> Sector at 0x6000: unlocked
> Sector at 0x8000: unlocked
> Sector at 0xA000: unlocked
> Sector at 0xC000: unlocked
> Sector at 0xE000: unlocked
> Sector at 0x10000: locked
> Sector at 0x20000: unlocked
> [...]
> Password Protection Mode lock: 0000
> Persistent Protection Mode lock: 0000

The lock state you are seeing (including the parts I omitted from quote)
is the same as what I see on my K220i with the same flash.  I haven't
tried it on my K200i (also Samsung flash), but I expect it to be the
same.

> === Spansion flash ===
> [...]
> Found PL129N
> Global status word 3: 0080
> Sector at 0x0: locked
> Sector at 0x10000: locked
> Sector at 0x20000: unlocked
> Sector at 0x30000: unlocked
> Sector group at 0x40000: unlocked
> [...]
> PL-N Lock Register: FFFF

This lock state differs from the one seen with Samsung flash because
it's a newer flash chip with some significant changes (Samsung K5L29
corresponds to S71PL129J, but the Spansion chip used by SE here is
S71PL129N), but the two lock states do correspond logically.  The same
two sectors are locked on both flash chips: the boot sector at 0 and
the IMEI sector at 0x10000.

In both cases, there are NO "hard" security features activated, hence
on both flash chips we should be able to clear those non-volatile
sector lock bits (called PPBs or persistent protection bits) and
unlock all sectors.  The programming procedure for these PPB operations
is quite different between Spansion PL-J + Samsung on one hand vs
Spansion PL-N on the other hand: the way it is done on PL-N is sane
and straightforward, whereas on PL-J and Samsung flash the raw guts of
flash physics are exposed, requiring the programmer to do "pulse,
verify and repeat" and "program all before erase" logics explicitly -
but I am taking it as a sportive challenge to implement fc-loadtool
support for both.  I will need some time to implement it, though.

M~